Iphone App: SSL and WebService - iphone

I have to develop a little App and I'm handling secure data so i need a secure connection between my App and the database.
My thoughts were that I'm using a SSL Connection between the App and the Webservice and the Webservice does the database queries.
But there is another thing. Before you can access to the data you have to log in. There are different User groups (the relation between user and group is in the database) and i also want to know if there is a user logged in. Therefore i want to use a session. I'm new to session stuff, but my thoughts were:
The User opens the App
He logs in with his user-credentials
App connect over SSL to the webservice. Webservice checks the credentials and if they are okay the service gets the requested data from the db and generates a session id which can identify the logged in user. This package goes back to the app.
If the App needs new data it opens again an SSL channel and sends the request consisting of the session id and the query
Someone has a better idea doing that stuff? Which frameworks do you suggest for that stuff?

Related

building a service with an android app, an iOS app, and an API backend, all of which access the Facebook Graph API

i'm trying to build a server with a rest api and database.
it has ios and android clients, where you can log in with facebook.
the server can receive the access token that the clients get when they log in for the first time, and send it to the server. the server stores it in the database.
now the server can make graph api calls on the clients behalf.
but here's my question:
the next time the client asks the server to do something on it's behalf, what info must it send so that the server knows who the client is? is it just the access token again?
thank you
Just the access token is enough to uniquely identify the user and the app.
You could try it by hitting graph.facebook.com/v2.10/me?fields=id&access_token=... with different tokens to check which user it is and whether the token is still valid.
Off topic, but since you're already using the server as the middle-man for your requests, I suggest using the code flow instead of token flow for added security: https://developers.facebook.com/docs/facebook-login/security#appsecret

Connection to MSSQL database for secure login in Objective C

I want to make an app having financial Transactions for iPhone.So, my first target is to make a login page(and that's where my problem starts):-
The Admin or customer Details are stored in MSSQL DB.Now, when the client enters his username and password in my app, i want to verify these Credentials. So how can i do this?
Acc. to my little knowledge, i cannot connect to the DB directly, I need some web service or something as a middleware(but don't know what).I cannot parse the url directly to check the credentials as it will not be safe.Did we have to Encrypt the Credentials of client and if yes then how can i retrieve and verify the Login?
Any Sample, Links or anything will be helpful.
Create a .net site with a login.aspx web service page where you will handle authentication for the app. Make sure to get a HTTPS/SSL cert set up on your site as well.
Call me overly cautious, but I hate the idea of direct web server database access from a client app, I always like a middle layer of control/protection.
Edit
for example, you app can make server calls similar to this (using POST of course): yoursite.com/webservice/Login.aspx?username=chucknorris&password=somepassword&appkey=679384820473487746
Then on your Login.aspx page (or other pages for that matter) you would check for the POST variables (username, password, etc) and ask the database if they match. If they do then have the page return a success message, or do whatever additional processing you desire.
On multiple page requests within a certain amount of time, you can optionally use session states or go the more RESTful type of route, both are easily researched via Google.
POST + SSL is a must for basic security measures.

iPhone development- how to authenticate a user through a remote service?

I am developing an iPhone application and a website simultaneously. I plan on making an API for the website so that the app can send a URL request to get things done. For example, they send a request to www.example.com/journal/add/1 and it will add the item with id 1 to their journal.
What I don't know, is how to do I authenticate them through the iPhone application? I would like them to login just once and have it save their "session". Should I just store the username/password in a plist, and then authenticate them every time they make a request (so I would have to send their username and password hash through every request, like www.example.com/journal/add/1/user/hash? Seems hacky.
You can try oauth, or implementing a simple key system, where logged in users get a key to make subsequent requests with, either way you can refer to the facebook, twitter, youtube apis, you can see how they do it, get some ideas from there (they are all pretty similar) though they concentrate on letting external users make the calls, but you can still do something similar...
instead of keeping their login and pass you should keep sessionid (make it using time, login and md5 checksum)
so first, do normal authorization with your php script (you will need to use database), if it's successful, return sessionid to iphone client. iphone client stores it locally. then next time user starts app you check if sessionid is there: if yes, you send it to your server for authentication. Server checks if sessionid is in the database - if YES, it returns success to client and updates session id in database (remember that you can sessionids can be time stamped, so user will have to relogin if there was long inactivity)
sounds complicated but it's not that bad ;)

session management and one-time user login - iphone

I'm creating an iphone app where the user logins once (when they open the app for the first time), then will never have to login again (like how instagram does it). The app will automatically log them in the next time they open it up. However, the app makes a bunch of requests to a web server.
What is the best way for the server to issue session tokens? How long should the session tokens be valid for? How can I ensure the user never has to log in again, while still providing secure session tokens.
One approach is for the server to issue a token to the user when the user logs in for the first time, and make that token permanent. That, however, does not seem secure.
Thanks for the help!
Well, generally the session is already handled through session cookies. Unless you're planning to have third parties connect to your service, I think it's a bit overkill to do anything besides basic http authentication. I would definitely send all of your connection requests over an https connection though.
As far as persisting the session on the iPhone side, you can save the user and password in the Keychain, and then automatically retrieve and send it to the server when it requires you to log in again, without having to prompt the user to log in again. How often you want the sessions to last on the server end is really up to you.
What is the best way for the server to issue session tokens?
One way to do it is using OAuth. It is more complex than cookies but it has more features.
A token is granted to each application and can be revoked by the user from a page in the server. This token can be permanent or temporary. You can store it as plain text or inside the iPhone keychain, depending on the level of security you need. There is open free code for server and client implementations. Another benefit is that clients can log in your service using their Twitter/Facebook/... account so they don't need to register on your site.

How to manage user login with a webserver in iOS?

I'm building an app that performs similar functionality that one website does: register, login, submit order, view orders and etc. Now, do I have to do anything explicitly in order to get things working?
After successful login, a webserver establishes a session and sesssion ID and related session info is written to related cookie. IMHO, I just need to call webservice with login credentials and then the rest will be done implicitly. After successful login, every requested user page from user area will be checked with sent cookies and session file at server side. So, do I have to do anything else in order to get into secure area?
Agree with what #sicKo has said. Remember, sending data over wireless network is not secure. Do be careful on the transactions when money and authentication involved.
In addition to what #sicKo has said, you may now consider the coming iOS5, store the value at iCloud.
You just have to send the value to verify the user to the webserver.. and u can keep the session alive in iPhone using NSuserdefault..
U might want to encrypt the sensitive data send over the network such as username and password.